Securing IoT Devices at Scale
May 09, 2022
Cybersecurity is becoming a critical issue as our lives are increasingly mediated by digital devices and cloud servers. The Internet of Things (IoT) sector recognizes the importance of cybersecurity to our wellbeing, and to its growth, and so has started developing security standards, testing, and accreditation strategies to address it. Regulators around the world are also stepping up their game, developing and enacting legislation that holds IoT developers and ecosystem operators to account for the impact of the systems they implement, with sometimes draconian penalties for security failures.
One of the key challenges for companies that develop IoT chips and devices, and that build IoT ecosystems with them, is to ensure their security when they are deployed at massive scale. While a tabletop demo with a handful of devices may show that an IoT security strategy is valid, implementing that strategy at scale demands skills and tools that many organizations have yet to acquire. At the heart of the issue is the complexity involved in finding a way to securely create, distribute, and manage the unique identities and cryptographic keys necessary to protect IoT chips, devices, and ecosystems. The good news is that hardware and software solutions are emerging to make it easier for designers who are not security specialists to apply cutting-edge security technology and strategies to their IoT ecosystems now, and to manage them over the long term.
The Root of Cybersecurity: Identity and Trust
Trust lies at the heart of cybersecurity strategies, and identity lies at the heart of trust. Think of joining a conversation with a group of strangers: until we know with whom we are talking, we can’t trust that our contributions won’t be misused, misinterpreted, or misrepresented. The same is true in cybersecurity: to trust a device with valuable information, you first need to know that it is a legitimate member of an IoT ecosystem, not an untrusted device masquerading as one, or a clone of a legitimate device that is misusing a stolen identity.
One way to establish trust in the IoT is to give each legitimate device a unique identifier, which can be used to authenticate its legitimacy within the target ecosystem. The identifier can also act as the key building block in the generation of cryptographic keys which can be used to prove identity, secure the storage of secret information, ensure the privacy of communications, and provide the facilities necessary to log on to IoT cloud services. These functions, in turn, help ensure the integrity of data stored on and shared between IoT devices, which is vital to avoiding malicious attacks that involve spoofed data.
To reiterate, identity enables authentication, which builds trust, which in turn allows confidentiality (privacy), and so ensures the integrity of the information being stored or transmitted. So how do we establish strong and secure identities within IoT chips, devices, and ecosystems?
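As an added illustration (not code from the article or from any of the vendors it mentions), here is how a device root secret becomes the building blocks listed above: separate, purpose-specific keys derived from it, and an authentication exchange in which the device proves its identity to a server without ever disclosing the secret. The root secret, device identifier and ecosystem salt are constructed values; HKDF-SHA256 and HMAC-SHA256 are assumed as the derivation and proof primitives.

```python
import hashlib
import hmac
import os

ROOT_SECRET = bytes.fromhex("a1" * 32)    # constructed stand-in for a PUF-derived or injected secret
DEVICE_ID = b"dev-0001"                   # constructed device identifier
ECOSYSTEM_SALT = b"example-ecosystem-v1"  # assumed: fixed per ecosystem, public, not secret


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF (extract, then expand) over SHA-256, using only the stdlib."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_device_keys(root_secret: bytes, device_id: bytes) -> dict:
    """Domain separation: a different 'info' label per purpose yields independent keys,
    so a compromised storage key tells an attacker nothing about the identity key."""
    return {
        purpose: hkdf_sha256(root_secret, ECOSYSTEM_SALT, purpose.encode() + b"|" + device_id)
        for purpose in ("identity", "storage", "comms")
    }


def answer_challenge(identity_key: bytes, challenge: bytes) -> bytes:
    """Device side: prove possession of the identity key over a fresh challenge."""
    return hmac.new(identity_key, b"auth|" + challenge, hashlib.sha256).digest()


def verify_response(expected_key: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute the proof and compare in constant time."""
    return hmac.compare_digest(answer_challenge(expected_key, challenge), response)


def demo() -> dict:
    """Enroll one constructed device, then try a genuine login, a device that claims
    the same ID with a different secret, and a replayed response."""
    keys = derive_device_keys(ROOT_SECRET, DEVICE_ID)
    server_copy = keys["identity"]  # the server keeps the identity key from enrollment
    challenge = os.urandom(32)
    genuine = answer_challenge(keys["identity"], challenge)
    other_keys = derive_device_keys(bytes.fromhex("b2" * 32), DEVICE_ID)  # constructed wrong secret
    impostor = answer_challenge(other_keys["identity"], challenge)
    return {
        "keys_distinct": len(set(keys.values())) == 3,
        "genuine_ok": verify_response(server_copy, challenge, genuine),
        "wrong_secret_rejected": not verify_response(server_copy, challenge, impostor),
        "replay_rejected": not verify_response(server_copy, os.urandom(32), genuine),
    }
```

The chain the paragraph describes is visible in the code: the identity key exists only because the root secret does, the challenge proves identity without exposing the key, and a response captured once is useless against the next challenge.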
Implementing a Unique Identifier
There are two main ways to ensure a device has a unique identity. The first is to create a cryptographically provable identity in an off-chip system and then find a secure way for the device to gain access to it, a process commonly known as ‘key injection’. This approach is widely used but demands that those who use it trust the security of the key injection process. If key injection is done in-house, this may be straightforward, but if it must be done in a contract manufacturing facility or fab halfway around the world, the necessary trust may be more difficult to establish and sustain.
Such identifiers are often injected into Secure Elements that protect them, using features such as encrypted storage and hardware designs that make physical and electrical hacking more difficult. Secure Elements are often integrated in a system on chip (SoC) alongside other specialist features, such as cryptographic accelerators, as part of its broader security infrastructure. Secure Elements are also available as standalone devices, such as ST’s STSAFE-A110, which can provide strong authentication facilities, help establish secure communications channels, secure data, and help verify digital signatures.
One drawback with key injection is its cost. It demands both hardware resources, such as on-chip memory or secure off-board storage, and highly specialist services, implemented with extreme rigor, to handle the key injection in a secure way.
The Key Injection Process
The challenge of key injection is that it is a complex process and customers must trust that the device maker can keep every step of it completely secure, throughout its physical facilities and its ICT infrastructure, and over the long term. It’s no use applying sophisticated key-injection strategies to protect your IoT ecosystem devices now if the company that did the injection on its production line allows its servers to be hacked a couple of years later. Sustaining such discipline is expensive.
To illustrate the complexity involved, let’s look at the key injection process ST has developed for its STM32MP1 range of secure microcontrollers, which include features that protect critical operations (cryptography algorithms), and can store critical data (secret keys) in one-time programmable areas of the chip.
ST says that its secure secret provisioning (SSP) strategy and toolchain enables secret data to be securely injected (that is with confidentiality, authentication, and integrity checks) into the devices, even in an untrusted environment such as a contract manufacturing site.
Flow diagram of ST’s SSP process
According to a high-level view taken from ST's application notes, the SSP process includes the following:
- SSP image (encrypted) available from the STM32 Trusted Package Creator tool
- Program the Hardware Security Module with an AES secret key
- Signed SSP secure firmware using the STM32MP1 signing tool
- Launch the SSP process
- ROM code loads the SSP secure firmware
- Device certificate
- STM32MP1 Series device authentication
- Provides the license concatenated with the SSP image (encrypted)
- Retrieves the AES decryption key and decrypts secrets
- Authenticates the secure firmware
- Programs the OTP from decrypted secrets
The exact details are less important than the way they illustrate the complexity involved in connecting securely to a device on a production line and programming it with data whose authenticity, confidentiality, and integrity have been preserved until it is unpacked in a secure area of the device.
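To make the flow above concrete, the following is an added, deliberately simplified model of such a provisioning exchange with both sides (production-line HSM and device) in one file. It is not ST's SSP code and does not reproduce its formats. HMAC-SHA256 stands in for the signature scheme (a real ROM holds a public key, not a shared secret), an HMAC keystream with encrypt-then-MAC stands in for AES, a device registry stands in for device-certificate verification, and every key and payload is constructed.

```python
import hashlib
import hmac
import os

SECRETS = b"constructed-root-key-material-destined-for-OTP"  # what the OEM wants inside the device
FIRMWARE = b"constructed-ssp-secure-firmware-v1"
OEM_SIGN_KEY = bytes.fromhex("11" * 32)   # constructed; stands in for the OEM's signing key pair
IMAGE_KEY = bytes.fromhex("22" * 32)      # constructed; the AES key the OEM programs into the HSM
DEVICE_KEY = bytes.fromhex("33" * 32)     # constructed; per-device key behind the device certificate


def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC with separate sub-keys; a stand-in for AES-GCM."""
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(_subkey(key, b"enc"), nonce, len(plaintext))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key, blob):
    """Check the tag before touching the ciphertext: a wrong key or any change fails."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key or tampered data")
    return bytes(c ^ s for c, s in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))


def sign(key, msg):
    return hmac.new(key, b"sig|" + msg, hashlib.sha256).digest()


def verify(key, msg, sig):
    return hmac.compare_digest(sign(key, msg), sig)


class ProductionLineHSM:
    """Holds the image key and releases it, wrapped per device, only after the device
    proves it holds the key matching its registered identity."""
    def __init__(self, image_key, registry):
        self._image_key, self._registry = image_key, registry  # registry: device id -> device key

    def challenge(self):
        return os.urandom(16)

    def issue_license(self, device_id, challenge, response):
        dev_key = self._registry.get(device_id)
        if dev_key is None or not verify(dev_key, b"auth|" + challenge, response):
            raise PermissionError("device authentication failed; no license issued")
        return seal(dev_key, self._image_key)  # the license: image key wrapped for this device only


class Device:
    def __init__(self, device_id, dev_key, rom_trust_key):
        self.device_id, self._dev_key, self._rom_trust_key = device_id, dev_key, rom_trust_key
        self.otp = None  # one-time programmable area, empty until provisioning succeeds

    def authenticate(self, challenge):
        return sign(self._dev_key, b"auth|" + challenge)

    def run_ssp(self, firmware, firmware_sig, license_blob, ssp_image):
        """ROM code: accept only signed SSP firmware, unwrap the image key from the license,
        decrypt the secrets, and only then program OTP. Nothing is written if any check fails."""
        if not verify(self._rom_trust_key, firmware, firmware_sig):
            raise ValueError("SSP secure firmware rejected: bad signature")
        image_key = open_sealed(self._dev_key, license_blob)
        self.otp = open_sealed(image_key, ssp_image)


def provision(tamper_image=False):
    """Run the whole flow for one registered device and return it (inspect .otp)."""
    ssp_image = seal(IMAGE_KEY, SECRETS)         # encrypted SSP image from the OEM's tool
    firmware_sig = sign(OEM_SIGN_KEY, FIRMWARE)  # signed SSP secure firmware
    if tamper_image:                             # simulate an image modified on the line
        ssp_image = ssp_image[:-1] + bytes([ssp_image[-1] ^ 0x01])
    hsm = ProductionLineHSM(IMAGE_KEY, {b"dev-0001": DEVICE_KEY})
    device = Device(b"dev-0001", DEVICE_KEY, OEM_SIGN_KEY)
    challenge = hsm.challenge()
    license_blob = hsm.issue_license(device.device_id, challenge, device.authenticate(challenge))
    device.run_ssp(FIRMWARE, firmware_sig, license_blob, ssp_image)
    return device


def tampered_image_is_rejected():
    try:
        provision(tamper_image=True)
    except ValueError:
        return True
    return False


def unknown_device_is_refused():
    """A part presenting a registered ID without the matching key gets no license."""
    hsm = ProductionLineHSM(IMAGE_KEY, {b"dev-0001": DEVICE_KEY})
    stranger = Device(b"dev-0001", bytes.fromhex("44" * 32), OEM_SIGN_KEY)  # constructed wrong key
    challenge = hsm.challenge()
    try:
        hsm.issue_license(stranger.device_id, challenge, stranger.authenticate(challenge))
    except PermissionError:
        return True
    return False
```

The property worth noticing is the ordering: the secrets reach the OTP area only after the firmware signature, the license and the image tag have all checked out, and the HSM never releases the image key to a part that cannot answer its challenge. That is what lets the same secrets travel through an untrusted site in encrypted form.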
Rambus also offers a Secure Silicon Provisioning Platform for injecting secret values into hardware modules or SoCs, but it works with a wider variety of devices. The company says it is the world’s largest third-party custom chip provisioner, already operates on multiple manufacturing lines, and has more than 60 customers.
The Platform enables security certificates to be generated and tracked by equipment installed directly on a module or SoC production line, to minimize the risk of the resultant devices being compromised.
The Rambus Security Silicon Provisioning Platform uses equipment installed on SoC production lines to inject keys
Rambus argues that its service, which operates within the fabs of 13 SoC partners, is making the ability to enable embedded security features and load secrets into devices on production lines more accessible. It says that this kind of programming service has otherwise only really been available to high-volume device and equipment makers that have developed their own key-injection infrastructures. Rambus also argues that, because it works with multiple SoC vendors, it can act as a common interface to the diverse security features included in devices from multiple vendors.
The Value of a Physical Unclonable Function
The second approach to giving a device a unique identity is to include a physical unclonable function (PUF) within it. This enables users to build their IoT ecosystem security architecture on top of an incontrovertible fact – that each device within it can be uniquely identified because of something about its physical hardware.
A PUF is usually made up of an addressable array of devices or circuit elements whose characteristics are strongly affected by random variations in the IC manufacturing process. With good design, this means that although highly resourced hackers could, in theory, probe and even copy an SoC layer by layer, they would still be unable to reproduce its unique identity, because it derives from characteristics produced by the device-to-device variability of the manufacturing process.
There are two main forms of PUF in use today. The first derives a unique identity by reading the logical state into which an array of SRAM cells settles when it is turned on. The challenge with this approach is to ensure that the cells continue to start up in the same state throughout the lifetime of the device. The approach may also not scale well on future deep submicron manufacturing processes.
The second approach, as used by Crypto Quantique's QDID offering, compares leakage currents through the insulating barriers of two devices, caused by quantum effects, and sets a binary value depending on which of the currents is greater. This approach generates a source of highly random yet robustly repeatable output states. It is also area-efficient, enabling designers to include a rich source of random values that can be used as the basis of both a unique identifier and multiple new cryptographic keys throughout the lifetime of the device.
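An added simulation (not the article's or Crypto Quantique's code) of the comparison-based idea just described: each cell pair outputs 1 when the first of two currents is larger, the outcome is fixed by process variation, each read is slightly noisy, and helper data plus a repetition code (a code-offset fuzzy extractor, assumed here) turn those noisy bits into a key that is identical on every boot. The noise level, code length and seeds are assumptions chosen for the simulation.

```python
import hashlib
import random

KEY_BITS = 128
REP = 9           # repetition code: 9 PUF bits carry one key bit (assumed parameter)
FLIP_PROB = 0.02  # per-read chance that one comparison flips (assumed noise level)
ENROLL_READS = 5  # reads averaged at enrollment, in a controlled environment (assumed)


class ComparisonPuf:
    """Model of a PUF that, per cell pair, compares two currents and outputs 1 when the
    first is larger. The stable outcome is set by process variation (chip_seed); every
    read re-evaluates the comparison under noise, so a few bits differ between reads."""

    def __init__(self, chip_seed, n_pairs=KEY_BITS * REP):
        rng = random.Random(chip_seed)  # stands in for manufacturing variation
        self._stable = [rng.getrandbits(1) for _ in range(n_pairs)]

    def read(self, noise_seed):
        rng = random.Random(noise_seed)  # stands in for measurement noise
        return [b ^ int(rng.random() < FLIP_PROB) for b in self._stable]


def majority(bits):
    return 1 if sum(bits) * 2 > len(bits) else 0


def enroll(puf, enroll_seed):
    """One-time enrollment: average several reads, pick a random key, and publish
    helper data = reference PUF bits XOR repetition-coded key. With unbiased PUF bits
    the helper data alone is uniform noise to anyone who cannot read this PUF."""
    reads = [puf.read(enroll_seed + i) for i in range(ENROLL_READS)]
    reference = [majority(column) for column in zip(*reads)]
    rng = random.Random(enroll_seed + 100)
    key_bits = [rng.getrandbits(1) for _ in range(KEY_BITS)]
    codeword = [k for k in key_bits for _ in range(REP)]
    helper = [r ^ c for r, c in zip(reference, codeword)]
    return bits_to_key(key_bits), helper


def reconstruct(puf, helper, noise_seed):
    """Every later boot: read the noisy PUF, XOR with the helper data, and decode each
    block by majority vote. Returns the key and the number of bit errors corrected."""
    noisy = [p ^ h for p, h in zip(puf.read(noise_seed), helper)]
    key_bits, corrected = [], 0
    for i in range(KEY_BITS):
        block = noisy[i * REP:(i + 1) * REP]
        bit = majority(block)
        corrected += sum(b != bit for b in block)
        key_bits.append(bit)
    return bits_to_key(key_bits), corrected


def bits_to_key(bits):
    raw = int("".join(map(str, bits)), 2).to_bytes(KEY_BITS // 8, "big")
    return hashlib.sha256(b"puf-root|" + raw).digest()  # condense to a uniform key


def demo():
    """Two constructed chips: the enrolled one recovers its key through noise, the other
    one, fed the same helper data, gets an unrelated key."""
    chip_a, chip_b = ComparisonPuf(chip_seed=1), ComparisonPuf(chip_seed=2)
    key_a, helper_a = enroll(chip_a, enroll_seed=1000)
    again, fixed = reconstruct(chip_a, helper_a, noise_seed=2000)
    other, _ = reconstruct(chip_b, helper_a, noise_seed=2000)
    return {"same_chip_same_key": again == key_a, "errors_corrected": fixed,
            "other_chip_differs": other != key_a}
```

The repetition code is used for readability; production designs use stronger codes and measure bit bias, because helper data leaks information about the key whenever the PUF bits are not close to uniform. The point that matters for the text above is that the key never leaves the chip in stored form: only the helper data is persisted, and it is useless without the physical device.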
Some Example Secure Devices
Macronix is using PUFs in its ArmorFlash offering, a standalone memory device that provides a secure identity, authentication, and an encrypted link for NOR, SLC NAND, or e.MMC flash memory. The product also uses a security protocol that ensures that every data transfer between it and a host is unique, even if the same location of its secure memory is being read out repeatedly. This prevents an attacker from gathering information about how often specific data locations are being read by the device. Nvidia announced in 2019 that it would use ArmorFlash to protect the security of data used in its autonomous driving platforms, taking advantage of its cryptographic capabilities, integrity checks, and ability to create secure communication channels and protocols.
Silex Insight is offering what it says is a single module for SoC security, delivered as a semiconductor IP block to incorporate in an SoC.
Silex Insight’s eSecure block relies on a PUF
The block builds its security around a PUF, and includes secure key storage, a secure CPU, and a choice of cryptography acceleration cores. It also has features such as the ability to boot securely, access secure storage over private interfaces, handle over-the-air software updates securely, and enable secure debugging.
Renesas offers 32-bit microcontrollers, the RX range (proprietary CPU core) and the RA range (Arm core), which include its Renesas Secure IP (RSIP), proprietary hardware for securing digital identities and cryptographic keys. It also has features that protect authentication programs from being tampered with. Renesas says that its RX/RA range with RSIP protection can be used to build a system with a Root of Trust that provides self-sustaining security.
Renesas also emphasizes the role the RX/RA parts can play in effective ‘digital lifecycle management’, that is the maintenance of IoT device and ecosystem security throughout its operating lifetime.
Renesas’ view of digital lifecycle management for IoT devices
The diagram outlines the major phases of digital lifecycle management:
- Key generation during design
- Secure uploading of keys and firmware during manufacture
- Key management for each device to prevent counterfeiting
- Secure operation in the field, to prevent eavesdropping on communications
- Secure firmware updates in the field
- Solutions that make it easier to deploy devices
- End-of-life management
The Enrollment Issue
Renesas’ emphasis on managing the deployment of IoT devices reveals another key issue when deploying IoT devices at scale: many IoT device developers will run their IoT ecosystems through a third-party IoT hub service such as Microsoft Azure or Amazon Web Services. Enrolling devices with these services involves a complex series of exchanges to authenticate each device, check that it has not been tampered with, create certificates, and then use them to establish secure communications.
Renesas, STMicroelectronics, Macronix, and Silex Insight have chosen Crypto Quantique's QuarkLink platform to help their customers provision, onboard, and manage devices from chip to cloud without specialist cryptographic knowledge. The diagram below shows the processes involved in readying a device that is using Silex Insight’s eSecure IP for connection to, and management by, an IoT hub service.
How QuarkLink handles the complex process of enrolling IoT devices on IoT hubs
As the IoT grows, so does the importance of securing IoT devices. The challenge in achieving this is to ensure that arbitrary devices, operating at arbitrary locations, and communicating over arbitrary links, can nonetheless remain secure.
The good news is that the semiconductor industry is responding to this challenge by introducing a wide variety of standard products that include security features, as well as semiconductor IP blocks for including security features in SoCs. The industry is also developing a variety of strategies for equipping the devices with the unique identifiers and cryptographic keys needed to underpin those security features.
The even better news is that tools and services are emerging that can help developers who don't have in-house security experience to, nonetheless, protect and manage their IoT devices and ecosystems using cutting-edge security techniques.